AppCompatCacheParser

Windows 10 Exec Flag

Open dgmcdona opened this issue 1 year ago • 5 comments

Hi, I just noticed that you added a flag for parsing execution on Windows 10/11 systems. Do you have any information you can share about how you came to that conclusion? I haven't seen anything online about it and as far as I can tell the prior consensus was that you can't determine execution on Windows 10.

dgmcdona, Apr 11 '23 16:04

Sure. I did my own testing on Windows 11 and set up a scenario where I copied multiple files with different names into different directories and ran some of them.

The ones that I have marked as being executed were the ones that showed up in the registry with the last four bytes in the entry being a one as opposed to a zero.

Not sure what else to add, but you can certainly do your own testing and observe my same conclusions, at least on a Windows 11 system.

It's not unusual for things not to be available online, especially in light of the fact that stuff like this is not documented and we figure these things out primarily based on reverse engineering things.

EricZimmerman, Apr 11 '23 16:04

[Screenshot attached: "Screenshot 2023-03-07 152624"]

EricZimmerman, Apr 11 '23 16:04

Thanks for the swift reply and for sharing your notes, I appreciate it. I'll run some experiments and see what I find.

dgmcdona, Apr 11 '23 17:04

After some testing it seems that 0 or 1 are not the only values that exist for the last 4 bytes.

A first computer (Windows 10 Pro 10.0.19044):

Occurrences   Last 4 bytes
734           00 00 00 00
197           01 00 00 00
64            64 86 00 00
3             02 00 00 00
2             4c 01 00 00

A second computer (Windows 11 Enterprise Evaluation 10.0.22621):

Occurrences   Last 4 bytes
264           00 00 00 00
121           64 86 00 00
80            01 00 00 00
2             02 00 00 00
1             4c 01 00 00
1             64 86 4c 01

I used the following CyberChef recipe to extract the last 4 bytes (input is the cache blob as dash-separated hex; `31-30-74-73` is the `10ts` signature that starts each entry):

```
Split('-31-30-74-73','\\n')
Fork('\\n','\\n',false)
Regular_expression('User defined','[0-9A-F-]{11}$',true,true,false,false,false,false,'List matches')
Merge(true)
Unique('Line feed',true)
```

naacbin, Oct 13 '23 17:10
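The same tally, done by parsing the cache blob field by field instead of splitting on the `10ts` signature, so that each trailing 4-byte value can be tied to the path and last-modified timestamp of its entry. This is an added example, not code from the thread or from AppCompatCacheParser. It assumes the Windows 10/11 layout described in public format notes (libyal dtformats): a header whose first DWORD is its own size (0x30 or 0x34), followed by entries of `10ts` | 4 unknown bytes | 4-byte entry-data size | 2-byte path size | UTF-16LE path | 8-byte FILETIME | 4-byte data size | data. The sample blob is constructed inline, not captured from a real system. One editorial observation on the values in the table above, not something the thread establishes: read little-endian, `64 86 00 00` and `4c 01 00 00` are 0x8664 and 0x14c, which happen to equal the PE `IMAGE_FILE_MACHINE_AMD64` and `IMAGE_FILE_MACHINE_I386` constants; whether that is what the field actually holds is exactly the open question in this issue.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

SIGNATURE = b"10ts"  # marker at the start of every Windows 10/11 cache entry


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_win10_appcompatcache(blob):
    """Parse the AppCompatCache value from a Windows 10/11 SYSTEM hive.

    Assumed layout (libyal dtformats, Windows 10 variant):
      header: first DWORD is the header size (0x30 or 0x34); entries follow it
      entry : '10ts' | 4 unknown | 4 entry-data size | 2 path size | path (UTF-16LE)
              | 8 FILETIME last modified | 4 data size | data
    Returns one dict per entry. Stops at the first position without a signature
    (trailing padding); raises on an entry whose declared size runs past the blob.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected header size 0x{header_size:x}; not a Windows 10 cache?")
    entries = []
    offset = header_size
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == SIGNATURE:
        unknown, entry_size = struct.unpack_from("<II", blob, offset + 4)
        body = blob[offset + 12:offset + 12 + entry_size]
        if len(body) != entry_size:
            raise ValueError(f"truncated entry at offset {offset}")
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        pos = 2 + path_len
        filetime = struct.unpack_from("<Q", body, pos)[0]
        pos += 8
        data_len = struct.unpack_from("<I", body, pos)[0]
        pos += 4
        data = body[pos:pos + data_len]
        entries.append({
            "path": path,
            "unknown": unknown,
            "last_modified": filetime_to_datetime(filetime),
            "data": data,
            # the 4 trailing bytes read as a little-endian DWORD (None if data is not 4 bytes)
            "data_as_u32": struct.unpack("<I", data)[0] if len(data) == 4 else None,
        })
        offset += 12 + entry_size
    return entries


def tally_trailing_data(entries):
    """Count distinct trailing data values, like the Occurrences / Last 4 bytes table above."""
    return Counter(e["data"].hex("-") for e in entries)


def _build_entry(path, filetime, data):
    """Serialize one entry in the assumed layout (used only to build the constructed sample)."""
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p + struct.pack("<Q", filetime)
            + struct.pack("<I", len(data)) + data)
    return SIGNATURE + struct.pack("<II", 0, len(body)) + body


def build_sample_blob():
    """Constructed sample cache (0x34-byte header plus four entries); not from a real hive."""
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    ft = 132_000_000_000_000_000  # an arbitrary FILETIME in April 2019
    return header + b"".join([
        _build_entry(r"C:\Tools\a.exe", ft, b"\x01\x00\x00\x00"),
        _build_entry(r"C:\Tools\b.exe", ft, b"\x00\x00\x00\x00"),
        _build_entry(r"C:\Tools\c.exe", ft, b"\x64\x86\x00\x00"),
        _build_entry(r"C:\Tools\d.exe", ft, b"\x01\x00\x00\x00"),
    ])


if __name__ == "__main__":
    parsed = parse_win10_appcompatcache(build_sample_blob())
    for e in parsed:
        print(f"{e['data'].hex('-')}  {e['last_modified']:%Y-%m-%d %H:%M:%S}  {e['path']}")
    print(tally_trailing_data(parsed))
```

To run this against a real system, export the `AppCompatCache` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` (or read it from an offline SYSTEM hive) and pass the raw bytes to `parse_win10_appcompatcache`; the per-entry path and timestamp are what let you correlate a given trailing value with the test binaries you actually launched, which is the correlation the thread is asking for.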

Need more info here. How do the non-0 bytes align with the executable actually running? That's the real thing we need locked down.

EricZimmerman, Oct 16 '23 16:10